The Business-Technology Weave

Business success requires the ability to develop, acquire, secure, make effective use of, and dispose of, information – content. Content is simply the information that your business contains, or harbors (as to the latter, harboring can be thought of as a virtual containment – such as in The Cloud). To start with, there are two basic categories of content: business content and non-business content. Within those are two subcategories: appropriate, and not appropriate. It’s quite simple.

Most business content is appropriate, so long as it has value and relevancy. Appropriate content is that information which is necessary in the pursuit and support of your business. Non-business content is those things that aren’t of direct necessity to business. Much non-business content is tolerated, and some is even essential: as a normal lubrication in your staff’s managing of important personal affairs, and in the support of general employee morale. In either main category of content, business or non, we’ll see that inappropriate content can exist, and can pose extreme liabilities. We’ll define inappropriate content shortly. We’ll see too that there are even emerging perils to the efficient use of appropriate content.

We find that we must first identify content. We’ll explore its relationship to successful business, understand how to maximize use of content as a leveraged asset, define and minimize liability posed by all content, and learn the importance for disposing of content that has lost its value. Once we have a good understanding to all of content management’s implications, we’ll examine ways to put a system of content management in place. Different organizations will need systems of differing sizes and sophistication. Therefore, a part of our discussion of systems will include your identification of a solutions partner – a vendor – and appropriate product.

However, long before we get to the “system,” we must have a thorough understanding of what content is, what a policy of content management really constitutes, and what the solution really entails:

The ‘Solution’ Must Solve

IT and Business have to keep something simple in mind. Remember that the policy, associated process, and support system must represent a solution: everything must leverage as being helpful to Business. This is a solution – not an empty burden. Here, as anywhere, we cannot afford the false “solution.”

This solution must:

1) Identify and leverage existing, new, and accumulating content for maximum business use and success,

2) Minimize liabilities involving: inefficient access and loss of business content; the unwanted accumulation of outdated content; the distribution of conflicting content; cost of storage; damage posed by unnecessary discovery and exposure; the unwanted accumulation of non-business and inappropriate content; and burgeoning overhead in meeting necessary regulatory requirements.

3) Enable our ability to audit and report on content in an uncomplicated, fast, and effective way (in direct support to 1 and 2 above).

This will be a pairing of Business-driven policy and process with an appropriate technical solution; a further weave of business and technology. We build a sound policy, we define our process, including the right-sized technical support, we train staff, and we manage content. We complete a people, policy and process model: therefore we manage content by virtue of knowledgeable people, supported by a defined policy, supported by a sound process.

… So – how do we get there? Like most things, the devil is in the details.

As identity theft grows in terms of volume, and awareness, evermore folks are taking precautions online. Job seekers can be at particular risk, as one’s guard is often down when the excitement of a strong job opening comes our way.

We know there are spurious websites offering products and services, while at the same time soliciting personal information: Name; address; date of birth; credit card number; expiration; and so on. There are many other websites, legitimate and otherwise, that make the simple divulging of e-mail address necessary – and frankly, that can be the beginning of identity theft.

Fortunately, most of us have robust malware protection, virus protection, and even spam guards in place. But recognize that most data breaches and identity thefts are due to human error and misjudgments. Even a routine online job search can have peril.

In particular, be wary of job proposals or company notices that come your way on an unsolicited basis. Invitations to apply will include the divulging of highly personal information – and I don’t even give my name and address to someone or any entity that I don’t know, or can’t research to a very high degree of certainty for legitimacy.

As to that last point, it may in fact be difficult to certify a company as “legitimate.” Social media and marketing make it easy for false-front organizations to pose as a legitimate enterprises, with products, services, and testimonials handily displayed on Facebook and social media accounts or fancy webpages. However, regardless of your ability to certify the positive, you can dig for the negative: Search the company’s name on the web with the word “scam” after it. Other terms that come to mind are “ripoff,” “illegal,” “court action,” “shut down,” etc. You get the idea.

These days, sad to say, you must limit personal information when sending a resume. Even when sending to a trusted, known, entity or person, you cannot be entirely sure to whom that person will pass the information… and so on… through each iteration of pass. So: Don’t divulge your birthday or your social security number. In the case of your present and past jobs, don’t reveal employee ID numbers. Professional certifications, licenses, badge numbers, etc., are also a no-go. Also keep in mind that there are websites that merely pose as known, high-profile, organizations: Verify web addresses. Search to any company’s legitimate website – for example, don’t take hyperlinks that are delivered in e-mails for granted.

You should also be very circumspect about your education. Schools, years graduated, and other attendance information can give thieves a ready handle by virtue of alumni information, opening a view to all sorts of other data regarding you.

While online enablements offer broad powers to all sorts of human endeavor, be aware that these same deliver power to identity and data thieves. Job seekers need to exercise extreme caution: be sure to vet all sources and contacts.

The leverage to understanding and compliance is essential – DAPR forces, not a different question but, a set of questions:

“Are we prepared for disaster?”

“I guess so – we have a disaster recovery plan.”

“Do you have an updated awareness for current, evolving, and new disasters?”

“Well, let’s see – I guess we should list them.”

“Now that you have an awareness, are you prepared?”

“No. We’ve added some events, and we have a better understanding of others.”

“Are we properly prepared to prevent certain outcomes?”

“Prevention? I thought this was Disaster Recovery…?”

“Can you prevent harm where appropriate? For any “unpreventables” or the truly unforeseen, can you recover from those harming events – have you tested your preparedness?”

“Well, we’ll have to develop some tests, and then conduct them…”

As usual, we can leverage understanding in a powerful way when we set simple and accurate identifiers right up front. DAPR helps us to better know ‘where we are’ in getting to where we’re going (the destination of ultimate security). Disaster’s potential is a part of where we are, and we need an awareness of our surroundings as a part of that. Preparedness is a route to a destination – a journey – a ‘how do we get there’ factor. It leads us to the ‘where we’re going’ zones of prevention and recovery.

Awareness is required before you can achieve preparedness, and preparedness is necessary for requirements supporting prevention and recovery. Can you see the ‘where are we’, ‘how do we get there’, and ‘where are we going’ elements of the previous statement?

We then require the satisfaction of a test to indicate your level of success in arriving at a state of prevention or recovery – and in arriving at a properly sized DAPR position for any moment in time.

Who drives DAPR? One guess… particularly for Business, it is inadvisable to rely on a simple conversation with IT regarding this area. This is not to put down anyone’s IT endeavors, or disaster recovery efforts. This is simply because IT may feel that they’ve done the best they can regarding security of business in this regard, based on the resources they’ve been able to lobby for (including Business’ attention). It also includes IT’s belief (whether erroneous or actual) that they’ve met the Business expectation, and mounted the best mission. But here again there is an ignorance in many organizations. Business may like the numb comfort they often have in this area: Walking away with a simple “Yes, we’re covered” allows Business to go back to the core business focus of the day.

There is also a certain denial at work in many organizations, or a simple pushing aside of DAPR: “We’ll get to that next quarter, next year, soon,” etc. – or – “our vendor handles that.” But like all things in the Business-Technology Weave, the IT Enlightened Organization makes disaster awareness, preparedness, and recovery a Business-driven initiative too. Who owns “business-continuity?” IT? After all, it’s Business’ continuity. Further, IT can only establish DAPR according to its own allowance, safe-channel and lead – from Business’ sanction and support. When IT fulfills a Business expectation, Business has to make sure the expectation is sized appropriately.

To Business: You own it. It is your business that will suffer from a state of non-recovery. You must oversee DAPR, its maintenance, its evolution, its testing, and you must believe that you can rely on it to your satisfaction, values, and standards. IT will serve, participate, suggest, focus, and implement the mechanics of preventions and recoveries. IT will lead when that lead is designated by Business – but policy and planning must be driven by Business.

Understanding the Elements of DAPR: Because prevention of, and recovery from, harm is so central to security, let’s take a closer look at some of the fundamentals:

Awareness: Awareness starts with the board or governing body’s commitment to establish and maintain a Disaster Awareness, Preparedness, and Recovery (DAPR) policy and planning process. From here, all management and staff are made aware of their requirements. Everyone has a duty to conduct business in the best possible way, in the most secure fashion, in

compliance with all policies and protections. Prevention of harm begins with awareness.

If harm comes, everyone has a duty in ensuring the ability to recover from it. It requires planning at every level in order to ensure that essential business of the organization is able to continue in the face of adverse events and circumstances.

Important projects like DAPR planning have to be approved and sanctioned at the highest level in order to secure the required level of commitment and resources throughout the organization. The sale for DAPR planning should be easy to make in today’s environment – for reasons we’ve touched on. Primary is one of business’ most important foundations, which we touched on earlier:

– An Awareness Regarding the Business Foundation: Business has shifted from a mostly linear, non-abstract system of paper, filing cabinets, adding machines, and largely non-intermediary systems of support – to a virtual, almost abstract environment. It is now one of electronic bits and bytes, accessible only through the intermediary of computer systems, allied applications, and associated availability. Further, there has been a steady expansion of this foundation. Growth of wide-area networks, their ties to the internet, their ties to other business locations, and remote access that ties in home and mobile computing and all manner of other access, has exploded the vulnerabilities to be managed. Thus, through the corresponding expansion of access to this foundation – there has been expansion of exposure and expanded risk of harm.

Remember that we are talking about a foundation to business here – not some “enhancement,” appendage, or luxury. This is a foundational underpinning that you cannot allow to be knocked out from under – otherwise your business “crashes”, and you cannot “do.”

Harm to this foundation can be unintentionally sourced: things such as earthquakes, power failures, weather damage, etc. Short of nature, harm can arise from simple human mistakes or oversights: someone can corrupt the content of a database by transferring the wrong information into it. Someone may accidentally delete or move (lose) entire structures of data, break important links, and throw crucial parts of business offline.

Harm from human interaction can also be intentional: things such as acts of sabotage from within or with-out, or terror attack. We’ll take a closer look at a number of specific risks when we discuss Threats. For now, awareness starts with a true appreciation for the vulnerability to this foundation, the sheer weight and range of disruption to business should this foundation be removed for any period, and the absolute necessity in securing it to the best possible degree.

Preparedness: Preparedness should first and foremost be seen as a posture of prevention from harm. Preparedness next defines action and resources in the event of harm. Preparedness begins with its contribution to policy, such that our awareness gets translated into a plan and an outcome. The plan can then be affected to meet the policy’s stated objectives.

You can combine your policy and plan: The XYZ Corporation’s Disaster Awareness, Preparedness & Recovery Policy and Plan. In fact, your policy will not completely take shape without the plan – they are reinforcing, particularly as they develop. But a firm sense of policy must precede the plan; so as to identify your organization’s concept of DAPR, and the basic principles and levels of prevention and recovery expected (you must know the ‘where you are’ of expectations before you can plan to your ‘where you’re going’ destination of deliverables).

The policy states the mission – the detail you deem essential in explaining your organization’s critical business functions, the expectations for preventions, the required recovery protocols for disastrous harm, and responsibilities. Further, it should expose the beliefs, values, and standards for these essential business functions and their dependencies, or supports.

Because resources are not unlimited, the organization must arrive at agreement for what constitutes the greatest risks, the likelihood of events, and the impact of those events on various ranked business elements. Once your organization has agreement among various lines of business, practices, departments, agencies, etc., you then have common beliefs in what merits protection – values – and can proceed with the plan for protection and recovery of those things. We can note here that you may not achieve total agreement, but in that case the belief will at least be acknowledgment of, and agreement to, compromises made, and actions resulting.

Once things have been prioritized, you can set various standards for prevention and recovery: the planning of the what, when, how, and where. When you’ve established the mission, beliefs, values, and standards through policy, and made the plan for meeting the policy’s objectives, we define the tests that we’ll employ to validate our recovery plan.

Recovery: Unlike other Business and IT objectives, your disaster recovery posture is usually never fully realized, and never fully known. That is to say, your ability to recover from disaster does not usually evidence itself (hopefully) in a real-world manifestation – and certainly (hopefully) not at the “10” of a 10-scale catastrophic chart. Conversely, almost anything else you do is reflected back to you in the form of real-world success and feedback. For example, if you launch a new product, it either succeeds in the marketplace, or it doesn’t. You may have tested it beforehand through survey or some small market, but you will have the ultimate arbiter of the real marketplace as your final ringing authority; it will either deem your product some measure of success, or deem it a failure. You won’t have to wonder.

Disaster recovery is something we hope never to test in the real world. Of course, right up front we know that we don’t want to experience disaster – that’s obvious. But secondarily, if there is a disaster, we don’t want our recovery efforts to be the first test. A test implies an unknown – will we pass or fail the test? That is the test’s purpose – to eliminate that unknown by exposing a true level of knowledge and ability.

Therefore, we want to test beforehand by virtue of simulations – and on some regularized basis, so as to expose points of failure, and areas where we can improve. Therefore, as our environment changes, our disaster recovery testing continually exposes and helps us to eliminate unknowns – divides between our ever-new requirements, and standards for recovery. This way, we can reasonably expect a yield of success in the form of a recovery that goes according to our plan, and meets our policy’s requirements when we have to deliver on a real-world “test.” As we eliminate those aforementioned unknowns, we – do what? – we add to our awareness – a key component of DAPR.

As best we can make it, recovery from disaster needs to be efficient, effective, predictable – and safe.

NP: Ringside at Condon’s: Eddie Condon and his combo, featuring “Wild Bill” Davison. Early microgroove 33 1/3 RPM on the Savoy label. Live and jammin’ in the club. Same signal chain. Great cover shot on the jacket.

In the aftermath of the recent storm, Sandy, it’s good to examine Disaster Recovery.

Organizations, solutions partners (vendors), and practices have created a ready handle for recovery from disastrous harm – Disaster Recovery – with the attendant “Disaster Recovery (DR) Plan.” The venerable DR Plan is meant to secure business continuity in the face of harming events, or potentially harming ones. These events can be big (large scale and long-term outages, data breaches, backoffice crashes…) to those that are relatively small (short term outages, limited breach of content, etc.). I’m sure those out there can add to these quick examples.

However, security is ill served by this handle – DR – and so too are many of the plans that fall under it. “Recovery” is reactive, when we should have a plan that includes proactivity, and prevention, of disaster. Some measure of prevention is within our internal control, and some lies within our agility for sidestepping much of outside disaster’s influence. And, we strive to make disaster “transparent” to those whom we serve.

Too, mere “disaster recovery” is often given short shrift in terms of attention, resources, and any sort of test or proof of concept. Many people, particularly Business people, are left to assume their disaster recovery efforts are in place, and will work, when in fact there is no reliable evidence to support this assumption:

“Can you readily recover from disaster?”

“I guess so – we have a disaster recovery plan.”

Many don’t really know, because there’s never been an event to recover from. But they have a plan. (Place a check in that box. Sleep well).

¨ Mission will be defined by your requirements for prevention, recovery, subsequent assignments, and exercises. The mission will be associated with a policy, and the policy’s manifestation is achieved through a plan (for implementation).

¨ Beliefs include ‘prevention’ as a standard; the understanding of prevention’s true value; those things that need protection according to assessed risk and available resources; and your confidence and control.

¨ Values support your beliefs – those things valued as necessary for sustenance of business. Values will help establish that which is protected to the best point of prevention from harm. There are also those valued business elements that determine the order of recoveries according to priority (for truly unforeseen events, due to catastrophic harm that has genesis outside of the organization, and its control).

¨ Standards establish the degrees, or levels, to which your protection is certified, in supporting preventions. Too, when recovery from damage is made, standards establish a period of time for how quickly full recovery is expected or necessary. Standards can define increments of recovery, and they support the prioritization of the valued business elements through ranking of them.

¨ Tests will be those simulations of harm that you employ to expose your level of success in preventions, recoveries, restorations, and the employment of identified alternative resources.

You must satisfy yourself (believe) that you can meet your organization’s identified values and standards of business continuity in the face of disaster. These things are necessary in order to provide some assurance that the best efforts have been made according to acceptable risks and available resources.

When we arrive at that place, we find that what we really have is a policy, plan, posture – a mission – for something that is a total rebranding: DAPR.

[Note: We’re going to pick up with our sequence in the coming days, in order to close our criticism discussion with examinations of Destructive Criticism, and something I call ‘Cloaked Criticism.’ But today, let’s peg a reminder regarding criticism’s special peril in the business-technical realm. Be sure to see earlier entries in this series, below…]

Communication has suffered in the electronic age. How can this be so? After all, we’ve expanded our options for, and the immediacy of, access and communication: Through e-mail; instant messaging; voice-over-IP (VoIP); access to web content; near-instantaneous transmission of large documentation sets; transmission of graphical and motion content; online meetings; online demonstrations, wireless communication, etc. We’re communicating more than ever – aren’t we?

Perhaps – but maybe we’re just communicating more often – not necessarily communicating with more or better information. For Business, we may merely be increasing the raw amount of communication – not necessarily enhancing the informing-content of what we’re communicating. It’s useful communication that counts in the business sense. The irony is that as we’ve expanded the width and immediacy of access and communication, we have found that we can no longer control discretion. To some degree too we’ve obliterated a natural, “built-in,” time for reflection and careful crafting of communication that existed with letter writing and hardcopy document preparation. We’ve enabled the “firing-off” of hasty, poorly constructed e-mails, and other text-enabled messages, which may not accurately convey that which we’re trying to express. We open the door for misinterpretation.

In years past we had more face-to-face meetings – we could readily assess an expectation for discretion based on who was in the room. We also had non-verbal cues, and the “real time” of collaborative assent, and dissent. Even when we communicated in remote methods, we often had a reasonable control to whom we imparted information. For example, we phoned discreet parties. In cases of documents and letters, we understood that physical recipients could control physical copies. There were no guarantees, of course, but there were many circumstances where we could make reasonable requests and assumptions. These former methods also had built-in time to care and reflect as we crafted those communications.

We now have little or no control on discretion when we communicate electronically. If you send an e-mail to someone, you cannot know to whom he or she will forward that mail. Even if they are the soul of discretion, you cannot know for certain that no one will take advantage of unauthorized access to that e-mail. Instant messages can be intercepted too. Whereas the interception of physical mail or documents often left evidence of such interception, the interception of electronic communication often leaves no real trail.

Another liability of electronic communication is the sheer volume of it. Ever more sensitive communications are conducted remotely via text. You cannot be certain how a recipient will interpret, or misinterpret, your communication, yet you may not have the luxury of waiting for a ‘face-to-face’ in today’s high-speed world. Recipients may become angry at something they perceive, but which isn’t actually “there.” Perhaps in your haste you’ve sent an inelegant, or poorly thought-out communication. Perhaps you even deliberately sent a missive that you immediately regretted sending. Misunderstandings can become, simply, a “text-enabled” miscommunication due to the lack of time for reflection. The same goes for any other electronic communication.

For this reason, prudent people and organizations are very circumspect in their communications these days. This obviously applies to criticism. The effective management and use of criticism is an absolute must within the realm of electronic communication.

The reality and perception must be that all communication is being made on a “business forward” basis; this lessens the opportunity for misunderstandings and misapplication of suspicion.

When we receive criticism, we generally have a sort of internal evaluator – we immediately know if the criticism is warranted, and thus constructive. Call it a gut feeling. Regardless, when receiving criticism you must always ask yourself: Is there merit in any, or all, of this?

Generally speaking, we know criticism is valid if we hear something from more than one person or department; if the originator of the criticism knows a great deal about the subject; and if the originator is known to apply reasonable standards of behavior. The criticism is motivated by a desire to help, and provides solid suggestions or directions for positive change.

When you receive constructive criticism, and the criticism is accurate, the best response is, of course, to agree. You should summarize the criticism so that the deliverer is satisfied that you heard him or her accurately. Ask questions as necessary – be certain that you understand the criticism. As necessary, ask the deliverer how they would improve things, or what improvements they need. Thank this person for bringing matters to your attention.

Handling and Responding:

When you are the recipient of constructive criticism, you should:

1) Understand the criticism.

2) Ensure the deliverer knows you understand.

3) Know exactly what needs to be done to improve your work or the situation – in other words, know what is necessary to meet expectations.

4) Arrive at a consensus for a course of action.

5) Thank the deliverer for their direction, suggestion, advice, etc…

6) Make the improvements, fix the problem, change behaviors, etc.

7) Participate in follow-up, or check back with the deliverer to confirm that everything is satisfactory.

In the case of process or behavior-driven criticism, we’ve all been a recipient at some point; whether we’re Business or IT, whether we’re senior or staff. Remember that everyone deserves to be managed, so in essence, everyone deserves to be criticized. We all need guidance from time-to-time. For the most part, we’re making good faith efforts within the scope of our knowledge, time, and other resources – but we can’t see and do everything at once. Whether you are on the delivering or receiving end of criticism, always remember that part of supervision is Super Vision. The critic has the luxury, generally, of flying above the trees and having time to look at an overall perspective. The deliverer too is generally the person who has the big picture details in advance of everyone else, and can best sense the necessary corrections to course. Comparatively, the recipient of criticism is generally the person down in the trees, handling things on a more granular basis, focusing on things that are directly in front of them. With this perspective in mind, there is no reason for the recipient to take umbrage at properly delivered criticism.

Keeping this perspective in mind helps the critic to make criticism more palatable for the recipient. Criticism becomes less of a “see-saw”; each party on opposite ends of an issue, one side up, and one necessarily down. Rather, criticism becomes a lever that both sides puts their hands on, in order to wield it in the same direction for better outcomes. Criticism becomes a mutually employed tool, exercised with equal effectiveness by both parties.

Criticism should be viewed from all angles as a “win-win-win” undertaking: a win to the critic; a win to those critiqued; and a win to the organization.

[Please see earlier entries in this series, below, if you haven’t already]

Whether behavior is deliberately negative or simply wrong because of ignorance, we need to expose the behavior to the individual or team. This also acknowledges the critic’s awareness of the situation in the recipient mind. When instigating a change in behavior, we find ourselves in the position of talking to an individual, or team, about performance or conduct that can be interpreted as an overly personal criticism. Actually, this criticism is rather personal. In terms of the individual, you are criticizing the person’s behavior, and that is central to the person. Even a performance review of a team, in a team meeting, can cause members to view criticism on a personal rather than a business basis. It is important to make the delivery so that it is truly received, while at the same time maintaining its focus. In other words, you must make the point without rankling the recipient – otherwise you risk the recipient’s erection of a defensive barrier, which inhibits effective communication. How to best achieve this?

Again, it’s best to start with a positive. Highlight something that you like about the person’s character or recent behavior in handling a situation:

“John, I’ve received a lot of compliments on your support at the desktop. Accounting was especially happy with how smooth the upgrade to the payroll software went. Several people complimented you – your care and concern insured that they were able to work effectively in processing last week’s payroll. I do need to make you aware, however, that just recently several people have complained of a sort of arrogance on your part. Specifically, you’ve been telling quite a few people lately that you’re very busy, and that you’ll ‘get around to them when you get around to them.’ Have you said that to people, and is it possible you’ve been rude?” [Here, we would pause to confirm whether John felt that this was an accurate assessment of his behavior]. “John, there is no excuse for rudeness in the support arena – ever. Generally speaking, people will engage others based on how they’re treated. Working on a friendly basis, no matter how difficult the circumstances, is a heck of a lot better than the alternatives. So, being busy is ok. But failing to provide people a courteous estimation for when you can help them is not. Most will be reasonable if you can at least give them a general indication when you can get around to them. If you’re feeling pressure you can also ask the team for help, and you can solicit my help in balancing your load. You need to make an immediate adjustment to your attitude so that you don’t create the wrong impression amongst the users. I don’t want to see you damage your reputation, as people trust you and generally compliment you. I know the Accounting project went well because you kept everyone informed during delays, and since everyone felt informed they were very pleased with the way that went. You’ll find people much more cooperative when you keep them genuinely informed. We all either help or hurt the department as a whole through our attitudes, so let’s all give each other a break and put our best face out there. Thanks, John”

Let’s note here that we’re discussing constructive, justified criticism, so we’re stating as a given that John was actually rude, was a normally courteous employee with a history of positive work, and needed exposure to his behavior so that he could take corrective action. (Note: In cases where a productive employee suddenly loses efficiency, or starts to have behavior problems, we definitely want to find the source of the problem. It may even be something outside of the workplace. If someone doesn’t respond to constructive criticism, then we cross the threshold into formal counseling; here we’re focused on how a quality staff best delivers and handles criticism).

Expose Negative Outcomes: When criticizing behavior, it is essential to point out the actual negative outcomes, as well as the inevitable future ones, that are sown by negative behavior. Frequently, an individual is not aware that their behavior is negative, or can be perceived that way. In John’s busy state, he probably thinks he is helping himself by letting people know that he is harried and not immediately available (when in actuality he is hurting himself). Also, his communication, as empty as it is, will nonetheless set a flag in his mind; that is, a belief that he set some kind of expectation in the user’s mind. They know not to expect me any time soon.

What’s missing is his appreciation that his communication is coming off as uncivil and unhelpful – which erects a barrier to the transmission of actual information in either direction. In his case, no information is following anyway: “I’ll get around to you when I get around to you.” “Great,” the user thinks, “I know not to expect you soon – but when can I expect you?” No useful expectation is being set in the users’ minds.

So, the critic must first expose the present condition of behavior; show the liabilities of the behavior; next describe the corrective behavior; and then discuss the benefits yielded by the amended behavior.

For criticism of behavior or process, constructive criticism should do four essential things:

1) Expose and acknowledge any existing quality in behavior or a process.

2) Make sure to expose and address the real issue.

3) Express exactly what needs to be done to improve the situation – and

4) Provide follow-up.

Following Up: After delivering criticism, you need to do a very important thing: follow up. Even if you are made aware of the result of your critique from some other source, it is important to show the recipient of the criticism that it was a professional communication – and therefore, you as the critic need to provide a direct closure. You show that the criticism’s motivation was due to a vested care and concern for the issue – not just an opportunity to exert power over someone, or to “pick on” somebody. The follow-up can happen as an assignment; for a recipient to report to the critic upon completion of something. It can also be a “drop-in” session on the part of the deliverer.

An Example of Follow-Up: Debbie, thanks for working to correct those reports for Marketing we spoke about last week. Marketing is very happy now. They can proceed with their sales forecasting. The follow-up helps to certify that we’re communicating on a business-basis, not on any kind of personally motivated agenda. It helps the listener’s internal voice anchor the context as business: That was important; Marketing needs accurate information. I’m glad I was able to tell my supervisor that the marketing reports were corrected and that everything is ok. It is a further acknowledgement for the criticism’s importance, and shows that the critic had weighted that communication with importance.

When the recipient is able to provide a positive answer regarding his or her effort in making an improvement, and in supporting an issue, they get a positive feeling in that they:

1) Made an improvement.

2) Met the deliverer’s (in this case, the supervisor’s) expectations.

3) Met others (in this case, Marketing’s) expectations.

4) Were recognized for their effort.

Proper follow-up acknowledges that responding to criticism with positivity and improvement is necessary and worth it in this organization.

Never issue criticism without a follow up. Lack of follow up can undermine authority and respect – respect for the deliverer and respect for the process. The recipient can be left to think that the matter wasn’t truly of consequence in the deliverer’s eyes, or that the matter isn’t an overall priority (which it is, if it merits criticism). Lack of follow up will generally weaken future communications of this nature. It will contribute to a lack of focus and gravity the next time constructive criticism is delivered. Follow-up also provides an important opportunity to praise the recipient’s efforts (assuming expectations have been met).

Please see Parts I and II of this series, below, if you haven’t already.

Constructive Criticism: Most people understand the concept of constructive criticism. It comes our way in a formal sense during a performance review, for example. It also comes to us in an ad hoc way from supervisors, peers, etc., in the form of direction, suggestions, and advice. This criticism should mean that the deliverer is coming from a strong position of experience, knowledge and fact. Constructive criticism (or valid; justified criticism) is meant to help.

– Motivation: People who provide constructive criticism are helpful, and motivated by a sincere desire to expose an issue in order to better its standing. People who take the time to provide this kind of criticism do so under one of two broad conditions: they either provide criticism in a forum specifically designed for the delivery of it (such as a performance rating, formal counseling session, etc.) or within a general circumstance, such as a status meeting, drop-by visit, hallway conversation, etc. All constructive criticism is important, but realize that formal critiques are more than mere motivators – they are requirements. It is within these required sessions that we find the true motivators for criticism – they are specific critiques that have the same basic reasons to generate relevant criticism (and praise) as any other general criticism that comes our way: exposure of issues and actions for betterment.

Whether constructive criticism comes in a required forum, or is delivered outside of any strict format, formula or timetable, it is handled with this in common: It needs to be acted upon. This realization allows us to make our discussion of criticism more efficient, since, whether formal or informal, we can now talk about a criticism’s motivators from the perspective of an actual driving event or situation. We can examine what causes the critic to specify and focus on a thing in particular. At the same time, we also have to look at the possibility that the critic is motivated by the receipt of his or her own criticism from somewhere.

Understand that regardless of specific situational motivators, all constructive criticism shares a common general motivator: the desire to help – or – helpfulness.

– Delivery: When criticism is genuinely constructive the deliverer is usually polite, and at least civil. Because the critic has the relevant experience, knowledge and facts for a given situation, those circumstances yield confidence. The critic is a calm and calming deliverer. The criticism’s content is clear, and there’s an articulated benefit expressed as an improvement to be had. If criticism is delivered optimally, there is an invitation for open discussion. Ideas can be exchanged, positions explained, and it is here that hidden issues or evolving circumstances can be exposed and examined. The deliverer should have enough knowledge and experience to know that criticism is generally a ticklish business. Sounding too critical can tune the listener out, or worse, cause the listener to become angry or defensive.

When discussing the delivery of constructive criticism, there are two sub types that we should examine in order to effect optimal delivery. One is targeted at process, or activities, external to inherent behavior. We will simply call this Process-driven Criticism. The other is targeted at inherent behavior, and things such as issues of character, and lapses in judgment. We will simply call this Behavior-driven Criticism. Let’s define each of these for this discussion:

1) Process-driven Criticism: Process-driven criticism focuses on activities that can be made better. The critic is generally focused on something narrow and discreet, though not always, and enjoys a confidence that, once an issue is exposed, the right people are on hand to make improvements. The criticism is meant to redirect or focus attention and energies. Usually, the recipients of the criticism are not the direct target. They are not deficient in performance – or, if they are, it is not the result of a character issue. They are hard-working, sincere, and qualified. They merely need guidance or input in order to make the required improvement. Criticism in these circumstances can be viewed as a “tune-up,” or “regular maintenance” of workplace issues – things external to the core character or behavior of the people.

2) Behavior-driven criticism: Behavior-driven criticism is meant to improve an attitude, to eliminate a bad habit, and to bring an individual, team or department back into standards of conduct. Usually it is directly targeted to a person or people. While there can be something narrow and discreet motivating this criticism, it’s important to understand that the behavior usually poses a general peril to anything it comes into contact with. In other words, the behavior has broad potential for negative outcomes. In these cases, the issue is such things as rudeness, anger, tardiness, sloppiness, dishonesty – things that reside, or are generated, within people.

Of course, better behavior yields better process, and better process can help morale and thus influence behavior. They are reinforcing. Frequently they are blended, and each is meant to contribute to better outcomes. But, there are important differences, and we need to understand the two for optimum delivery of criticism. Let’s take a look at delivery of these two:

Delivery of Process-driven criticism: Process-driven criticism is a little easier to deliver than behavior-driven criticism – it tends to be less personal. It is only indirectly linked to behavior or performance. For example, someone can be making the best faith efforts, and doing very sincere and good work overall, but there may be one or a few things that they are doing, simply put, wrong. Or, perhaps they’re just doing something “the hard way,” and therefore they’re not being as efficient as they can be. A person, a team, or a department may simply need the guidance that anyone is entitled to in the course of regular management.

When criticism happens between departments, or between disciplines such as Business and IT, there are special sensitivities and vulnerabilities. These apply even between organizations, such as yours and a vendor, or between agencies that have new working relationships. It is especially important to provide critical feedback effectively so as not to injure relationships. Yet in all of these circumstances, friction between parties, or a potential for friction, should not dissuade us from candor, nor from taking appropriate action. It is important to realize that progress requires traction, and traction requires friction. Friction in this case can be thought of as a facilitator of progress – you can risk someone’s irritation or initial grumbling, but the objective is to get the issue out in the open, to address it, and to better it. In any case, criticism must be dispatched correctly, and received correctly – therefore, both parties must keep their eyes on the prize: They should be focused on the desired outcome.

When Business criticizes IT, it is important for Business to keep in mind that they hold the real power: IT is there for Business, so there should be no reason to be heavy-handed. At the same time, Business requires a certain level of performance from IT; the objective of the criticism, therefore, is to expose IT to a business consequence. There also has to be exposure to the positive business expectations resulting from overcoming or avoiding the consequence.

In addition to showing a benefit to clearing a negative, it is very powerful to show additional benefits. Often we think of criticism as purely addressing something negative, therefore it is too often employed to “clear negatives” without going further. Clearing a negative returns you to a zero point. Rise further on the scale into a positive zone. Seek further positives from the criticism – they always exist for discovery. By seeking further positives from criticism, we pull criticism itself UP into a positive tone and posture. Indeed, when providing any kind of criticism, it’s helpful to start with a positive facet of the issue, which is a common “trick” – there should always be something positive to find and highlight. But further, bracket the criticism’s main point on the back end with additional positives to be had. As an example:

“Bill, the test module of the Exhibit Hall Space Manager was made available right on time – thank you. My staff has given me some positive feedback on it, and the changes we asked for are a real help. Great work. But, there were quite a few changes in the module’s screens that we didn’t ask for, or expect. The staff felt put upon because they had to stumble through the module. They had to re-familiarize themselves with the flow and process of it before they could get to the evaluation of our business-inspired changes. A lot of the data entry aspects, and the way the screens related to each other, didn’t reflect our training, nor the way the prior version of the module was laid out. Can we prevent these unanticipated changes in the future, or, if the vendor or IT has to make changes that aren’t at our request for reasons we’re not aware of, can we get a heads-up? Some quick familiarization for unanticipated changes will help our staff maintain a better attitude about it. In addition, it will help us get our required feedback to IT that much faster. It might even help us understand some of your logic behind the unanticipated changes, and we might be able to weigh in with suggestions on that too – we’re willing to pitch in any way we can.”

So here we have a problem with staff feeling put upon. They expected positive traction whereby they would receive a familiar test module back, against which their requested changes would readily show. Instead, they got their changes along with other changes to the fundamental product – they found their changes “swimming” in a sea of larger, unanticipated changes. It should be clear in this circumstance that it was a rather rude realization that the product had changed to the degree that the staff no longer felt familiar with it. Their criticism is justified by the reasons for it. It is highly constructive. The critic starts on a bona-fide positive, then specifies a problem, makes a suggestion to remedy the specific problem, and goes beyond in describing a couple other potential benefits to be had by the proposed remedy.

Remember this too – even if your additional, attempted “positives” can’t be utilized, you’ve still provided a positive in that your attitude comes through loud and clear: We’re here to help. We’re all pulling in the same direction.

In Part I, we noted that there is danger in criticism if it is not properly mounted and delivered. If we’re not careful, we can build resentments – we damage relationships between people, departments, and even allied organizations. We create avoidance to people and issues, we slow progress, we hamper business. Repair is costly. So, we have to take special care with criticism and its disposition in all circumstances. When we do, we find that proper criticism and proper reaction to it helps to expose important issues and aids in the resolution of problems. Criticism must always satisfy a very important question with an unqualified “Yes for an answer: “Does this move business forward?” Therefore, criticism must have a positive motivator, helpfulness in spirit, and a benefit to be had in the form of suggestion and outcome. Valid criticism has value – business value.

Once we know this, we realize that we need to manage criticism under a dizzying variety of circumstances. It must be managed at all levels of the organization; criticism between individuals, as well as between and within departments. Criticism must be managed between organizations that have relationships: it is dispensed between discreet organizations involved in shared missions and outcomes – vendors, solutions partners, regulatory agencies, “sister” organizations, chains, and so on. Here there is a special risk: poorly managed criticism can severely damage effective cooperation between allied organizations, particularly when it is motivated by protectionism and jealousy.

On a local level – your specific environment – there is a critical need in keeping individuals on balance. Those technical people directly supporting business on a daily basis are in a particular zone: They face business staff that needs to accomplish business, often under pressure, and these support people can face a larger proportion of criticism than the average staff. The supported business people, in direct contact with their support half, are also in a target environment.

The good news is that criticism, large and small, is essentially handled the same way. If we’re able to take a dispassionate, objective, look at the full range of criticism – from whiny, empty, counterproductive carping – through criticism wielded as a weapon – and on to the valid critiques, suggestions, sound advice, and requirements – then we’ll be much more adept at recognizing and handling criticism. We can vet criticism in defusing negativity and leveraging the positive to yield better outcomes.

As we consider the receiving end of criticism, we see that too many of us assume that our efforts should be immune from criticism. In that unbalanced posture, we cannot fail to resent criticism – no matter how on target, and no matter how expertly delivered. Reasons vary, but perhaps it’s because we feel we’re doing an excellent job: we’re putting in extra hours (without being asked!), we’re “carrying” our department (“they’d be in big trouble without me”), or maybe criticism just catches us on a bad day. Often, we feel that we’re doing the best we can in murky circumstances (another reason to get the Weave under control). Therefore, when criticism is directed at some of us, we respond in a negative fashion – with negative outcomes. Responding to criticism with anger, sarcasm or defensiveness is counterproductive. At the same time, it’s counterproductive for leaders to allow others to engage in invalid criticisms. If we don’t take care, this can become a self-reinforcing cycle; for the individual, and even for the organization. Criticism and its disposition, as much as anything else, influences the organization’s culture.

Maintaining a Balance in the Face of Criticism: We need to keep a balance in our reaction to all criticism because there is value even in much criticism that is poorly delivered. There can be merit in critiques that are rude, or even delivered in “attack” mode. Too, we can recognize criticism at the bottom end of the scale, and dispose of empty criticism through appropriate channels before it spreads and infects other opinions and attitudes to the detriment of the organization. It helps to build an immunity to the negative sort of criticism that, unfortunately, permeates certain endeavors. With experience, knowledge, and well-placed faith in the organization comes a patience that, however unjustified and harmful some criticism may seem, it can be handled and disposed of in a forum sanctioned by the organization. When people see an organizational maturity regarding criticism, they have faith that unjustified criticism will be “outed” and shown to be that which it is. This creates a better balance in all things as we strive to serve the better business interests.

We also need to take a look at the sponsors of different sorts of criticism and learn how best to handle those people. It is always helpful, and in most circumstances downright necessary, to consider the source. Here it is especially important to maintain a balance, as many critics are powerful people.

For leaders, criticism can bring a particular kind of pressure. Too much pressure for anyone can lead to an imbalance: the stumble of mistakes that otherwise wouldn’t be made. Pressure can yield bad judgments. Managers – Business and Technical alike – should watch for undue sensitivity to criticism; in themselves and in helping others. Ultimately, everyone needs to inculcate a healthy perspective to criticism – this includes the deliverer and recipient. Balanced people are aware of the appropriate, positive, responses to criticism – again, valid and otherwise. This healthy perspective toward criticism, and the appropriate method in delivery, receipt, and disposition, will defuse sensitivities and lead to progress. None of this is to say that we should ignore egregious instances of pure belittlement. Leaders need a balanced, objective, ability to weigh criticism, assign the relevant worth, and dispatch or handle it on that assigned basis.

Cloaked Criticism: As mentioned above, there can be validity in criticism that is poorly delivered. This leads us to acknowledge a category of criticism that is generally not addressed in other discussions. It is a category that is especially important to IT and Business, as we cannot afford to miss important requirements and details (regardless of source). Simply: It is either constructive or destructive criticism that has the appearance of the other.

For example, you may receive “constructive” criticism that has you doing busy-work at the expense of emerging priorities. The critic may have a good heart, but in this case the criticism will destruct our efficiency. Too there is criticism that has the appearance of destructive criticism, but which nonetheless contains merit. In pressure environments, criticism that is often legitimate (therefore valid), gets perceived as unjustified criticism: it is criticism that comes to us in anger, or as an attack, due to the deliverer’s own pressures – and therefore it is poorly expressed. Regardless, the issues may be legitimate. If something is in dire need of attention, we can’t afford to miss it just because we don’t care for the critic or his/her delivery.

Therefore, in all cases we need to recognize that criticism isn’t always packaged correctly – like anything else, the delivery of criticism won’t be perfect – it won’t be branded, test marketed, and wrapped with a bow.

As some “constructive” criticism can yield poor outcomes, and because some “destructive” criticism can have value in part or all of it, we’ll discuss how to recognize cloaked criticism. We can then handle it according to what it truly represents; we pan for the legitimate portions of critical information, and neutralize whatever remains.

Next up – An order of discussion:

¨ Constructive Criticism

Motivation

Delivering

Following Up

Receiving

Handling

Responding

¨ Destructive Criticism

Motivation

Guarding against Delivery of Unjustified Criticism (or that perception)

Receiving

Handling

Responding

¨ Cloaked Criticism: In Between Constructive and Destructive Criticism

Why The Criticizing of Excellence? Because that phrase snaps all criticism into an important perspective: Once it’s understood that criticism is going to come, regardless of circumstances, we can recognize that fact, accept it, and effectively deal with it. For most of us, dealing with criticism is not the best part of our day – whether dispensing or receiving it. Poorly managed criticism, and critics, can impair business. If not carefully managed, criticism can set up a sort of negative ping-pong exchange of recriminations, attendant “scoresheets,” and possible “get even” scenarios. Preventing this sort of atmosphere is far easier than repairing an environment that has been allowed to drift. You don’t want personalities clashing. We must not allow problems between powerful people to be woven into your organization’s fabric, nor must we allow other impairing critics to exist.

Many an organization suffers through the “silo-ing” of departments and the resultant impairment of communication and efficient business. Working through a minefield of political liabilities is what mucks up many good faith endeavors. But that’s largely because most people haven’t learned what criticism really is meant to be, and how it is to be used (both in its delivery and in its receipt). When we understand the nature of criticism, we learn to value criticism. In learning how to value and use criticism, we need to recognize constructive (or justified, valid) criticism – and destructive (or unjustified, invalid) criticism – and we need to act on criticism to effect the appropriate outcomes.

Why address criticism here? Let’s establish a little background: In a field as challenging, dynamic, and high profile as IT, there is much that presents a ripe target for criticism. At the same time, the pressures faced by Business (the business stakeholders), and their demand for quality support and services, generally means that Business has a fully stocked quiver of critical arrows. Yet, healthy criticism is necessary to the Business-Technology Weave. Critical evaluation and communication will be ongoing. This, paired with the challenge in creating, interpreting, and implementing a Business-driven IT strategy, makes it extremely important that we understand criticism and how to wield it. If you’re not making effective use of criticism, then you not only lose out on the positive lever to be had in progressive business, but you allow the deployment of a negative, depressive lever. Particularly in circumstances where we suffer divides, and have not yet achieved a proper Business-Technology Weave, there is that tendency to mount criticism from a less than fully informed perspective. When we combine that with a natural tendency to bristle at criticism, and mix in the resultant impairments, we find that we have a “perfect storm” formula for significantly diminished returns.

We’ll continue this as a series, and we’ll examine both criticism’s potential dividing force, as well as its proper wield and yield: That is, how to mount appropriate criticism, for contribution to solid business-IT gains.

About This Blog

The Business-Technology Weave is written by David Scott, an author and consultant with 30 years’ experience in helping to define business-driven IT strategies, in achieving business-serving ones. His book, I.T. WARS, became an MBA-text that has been utilized at more than 40 universities worldwide. The book and this blog define a new business-IT culture that helps to close divides, direct purpose, and achieve results through new and needed best-practice principles.